title: Python Startup Hooks (T1546.018)
id: df00tech-t1546-018
status: experimental
description: "Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements."
references:
  - https://attack.mitre.org/techniques/T1546/018/
  - https://df00tech.com/detections/T1546.018
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.018
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Python package installation (pip, conda, poetry) that creates or modifies sitecustomize.py or .pth files as part of package setup"
  - "Python virtual environment creation (venv, virtualenv) that initializes site-packages with standard configuration files including .pth files"
  - "Development tools (IPython, Jupyter, pytest) that install startup hooks for their configuration"
  - "System Python configuration management by system administrators that modifies PYTHONPATH for shared Python installations"
level: high
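
The description lists the startup hooks the `site` module honours but the rule itself ships only a placeholder selection. The following audit helper is an added example, not part of the df00tech rule or of the Sigma project: it applies the same `.pth` rules CPython's `site.addpackage()` uses (a line is executed only when it begins with `import ` or `import<TAB>`; everything else is a path) to enumerate which hooks a given interpreter would run. Standard library only; the sample `.pth` contents used in testing are constructed.

```python
# Added audit helper (not part of the df00tech rule): lists the startup hooks
# described above that this interpreter would honour. Standard library only.
import os
import site
from pathlib import Path

# Modules the site module imports automatically at startup, if present.
HOOK_MODULES = ("sitecustomize.py", "usercustomize.py")


def pth_exec_lines(text: str) -> list[str]:
    """Return the .pth lines the interpreter would exec() at startup.

    site.addpackage() skips comments and blank lines, exec()s lines that start
    with 'import ' or 'import\\t', and appends every other line to sys.path.
    """
    hits = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            hits.append(line.rstrip())
    return hits


def audit_dir(directory: str) -> dict[str, list[str]]:
    """Map file name -> exec()'d lines for one site-packages directory.

    Hook modules are reported with an empty list so their presence alone shows.
    """
    root = Path(directory)
    findings: dict[str, list[str]] = {}
    for name in HOOK_MODULES:
        if (root / name).is_file():
            findings[name] = []
    for pth in sorted(root.glob("*.pth")):
        lines = pth_exec_lines(pth.read_text(errors="replace"))
        if lines:
            findings[pth.name] = lines
    return findings


def audit_current_interpreter() -> dict[str, dict[str, list[str]]]:
    """Audit every site-packages dir this interpreter uses, plus PYTHONSTARTUP."""
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    report = {d: audit_dir(d) for d in dirs if os.path.isdir(d)}
    if os.environ.get("PYTHONSTARTUP"):  # script run before the first interactive prompt
        report["PYTHONSTARTUP"] = {os.environ["PYTHONSTARTUP"]: []}
    return report
```

Any `.pth` line reported by `pth_exec_lines` runs with the interpreter's privileges on every start, so each one should be tied back to the package that installed it (the false-positive list above names the usual legitimate sources).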
